EVALUATION REPORT

Independent Evaluation of NRC's Implementation of the Federal Information Security Management Act (FISMA) for Fiscal Year 2012

OIG-13-A-03      November 8, 2012

All publicly available OIG reports (including this report) are accessible through NRC's Web site at: http://www.nrc.gov/reading-rm/doc-collections/insp-gen/

Independent Evaluation of NRC's Implementation of the Federal Information Security Management Act for Fiscal Year 2012

Contract Number: GS-00F-0001N
Delivery Order Number: 20291

November 7, 2012

The views, opinions, and findings contained in this report are those of the authors and should not be construed as an official Nuclear Regulatory Commission position, policy, or decision, unless so designated by other official documentation.

EXECUTIVE SUMMARY

BACKGROUND

The U.S. Nuclear Regulatory Commission (NRC) Office of the Inspector General (OIG) retained Richard S. Carson & Associates, Inc. (Carson Associates), to perform an independent evaluation of NRC's implementation of the Federal Information Security Management Act (FISMA) for fiscal year (FY) 2012. This report presents the results of that independent evaluation. Carson Associates also submitted responses to the Office of Management and Budget's (OMB) annual FISMA reporting questions for OIGs via OMB's automated collection tool.

OBJECTIVE

The objective of this review was to perform an independent evaluation of NRC's implementation of FISMA for FY 2012.

RESULTS IN BRIEF

Program Enhancements and Improvements

NRC has continued to make improvements to its information technology (IT) security program and progress in implementing the recommendations resulting from previous FISMA evaluations. The agency has accomplished the following since the FY 2011 FISMA independent evaluation:

- The agency continued to maintain current authorizations to operate for all agency and contractor systems. In FY 2012, the agency completed security assessments and authorizations of eight systems. As of the completion of fieldwork for FY 2012, all 20 operational NRC information systems and both systems used or operated by a contractor or other organization on behalf of the agency had a current authorization to operate.
- The agency completed or updated security plans for all agency and contractor systems.
- The agency completed annual security control testing for 16 agency systems and both contractor systems. Two agency systems are currently undergoing security test and evaluation in support of system reauthorization. The remaining two systems completed annual security control testing late in FY 2011 and are currently undergoing FY 2013 annual security control testing.
- The agency completed annual contingency plan testing for all agency contractor systems, and updated the contingency plans for 18 agency systems and both contractor systems.
- The agency issued several updated Computer Security Office documents, processes, and standards, including the NRC Information Security Program Plan, Continuity of Operations Plan, and several incident response documents.

Program Weaknesses

While the agency has continued to make improvements in its IT security program and has made progress in implementing the recommendations resulting from previous FISMA evaluations, the independent evaluation identified the following information system security program weaknesses:

- The NRC system inventory is not up-to-date.
- Information system component inventories at NRC remote locations are not up-to-date.
- The NRC plan of action and milestones (POA&M) process is not consistently followed.
- The NRC POA&M tool does not consistently implement key OMB and NRC POA&M requirements.
- Contingency planning for the NRC IT environment needs improvement.

RECOMMENDATIONS

This report makes recommendations to the Executive Director for Operations to improve NRC's information system security program and implementation of FISMA. A consolidated list of recommendations appears on page 15 of this report.

AGENCY COMMENTS

At an exit conference on November 1, 2012, agency officials agreed with the report's findings and recommendations. Subsequent to the exit conference, the agency provided informal comments, which the OIG incorporated as appropriate. The agency opted not to submit formal comments.

ABBREVIATIONS AND ACRONYMS

Carson Associates   Richard S. Carson and Associates, Inc.
COOP                Continuity of Operations Plan
CSO                 Computer Security Office
FISMA               Federal Information Security Management Act
FY                  Fiscal Year
ISCP                Information System Contingency Plan
IT                  Information Technology
NIST                National Institute of Standards and Technology
NRC                 Nuclear Regulatory Commission
NSICD               NRC System Information Control Database
OIG                 Office of the Inspector General
OIS                 Office of Information Services
OMB                 Office of Management and Budget
POA&M               Plan of Action and Milestones
SP                  Special Publication

TABLE OF CONTENTS

Executive Summary ........................................ i
Abbreviations and Acronyms ............................... iii
1 Background ............................................. 1
2 Objective .............................................. 1
3 Findings ............................................... 2
  3.1 FISMA Systems Inventory ............................ 2
      Finding #1: NRC System Inventory Is Not Up-to-Date ............................................ 3
  3.2 Configuration Management ........................... 5
      Finding #2: Information System Component Inventories at NRC Remote Locations Are Not Up-To-Date ... 5
  3.3 Plan of Action and Milestones (POA&M) .............. 7
      Finding #3: NRC POA&M Process Is Not Consistently Followed .................................... 7
      Finding #4: POA&M Tool Does Not Consistently Implement Key OMB and NRC POA&M Requirements ..... 9
  3.4 Contingency Planning ............................... 10
      Finding #5: Contingency Planning for the NRC IT Environment Needs Improvement ................. 11
4 Consolidated List of Recommendations ................... 15
5 Agency Comments ........................................ 17
Appendix. Objective, Scope, and Methodology .............. 19

1       Background

On December 17, 2002, the President signed the E-Government Act of 2002, which included the Federal Information Security Management Act (FISMA) of 2002.[1] FISMA outlines the information security management requirements for agencies, which include an annual independent evaluation of an agency's information security program[2] and practices to determine their effectiveness. This evaluation must include testing the effectiveness of information security policies, procedures, and practices for a representative subset of the agency's information systems. The evaluation also must include an assessment of compliance with FISMA requirements and related information security policies, procedures, standards, and guidelines. FISMA requires the annual evaluation to be performed by the agency's Office of the Inspector General (OIG) or by an independent external auditor.[3] Office of Management and Budget (OMB) memorandum M-12-20, FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated October 2, 2012, requires OIGs to report their responses to OMB's annual FISMA reporting questions for OIGs via an automated collection tool.

The U.S. Nuclear Regulatory Commission (NRC) OIG retained Richard S. Carson & Associates, Inc. (Carson Associates), to perform an independent evaluation of NRC's implementation of FISMA for fiscal year (FY) 2012. This report presents the results of that independent evaluation. Carson Associates also submitted responses to OMB's annual FISMA reporting questions for OIGs via OMB's automated collection tool. A consolidated list of recommendations appears on page 15.

2       Objective

The objective of this review was to perform an independent evaluation of NRC's implementation of FISMA for FY 2012. The report appendix contains a description of the evaluation objective, scope, and methodology.

[1] The Federal Information Security Management Act of 2002 was enacted on December 17, 2002, as part of the E-Government Act of 2002 (Public Law 107-347) and replaces the Government Information Security Reform Act, which expired in November 2002.
[2] NRC uses the term "information security program" to describe its program for ensuring that various types of sensitive information are handled appropriately and are protected from unauthorized disclosure in accordance with pertinent laws, Executive orders, management directives, and applicable directives of other Federal agencies and organizations. For the purposes of FISMA, the agency uses the term information technology (IT) security program.
[3] While FISMA uses the language "independent external auditor," OMB Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act, clarified this requirement by stating, "Within the context of FISMA, an audit is not contemplated. By requiring an evaluation but not an audit, FISMA intended to provide Inspectors General some flexibility.…"

3       Findings

NRC has continued to make improvements to its information technology (IT) security program and progress in implementing the recommendations resulting from previous FISMA evaluations. The agency has accomplished the following since the FY 2011 FISMA independent evaluation:

- The agency continued to maintain current authorizations to operate for all agency and contractor systems. In FY 2012, the agency completed security assessments and authorizations of eight systems. As of the completion of fieldwork for FY 2012, all 20 operational NRC information systems and both systems used or operated by a contractor or other organization on behalf of the agency had a current authorization to operate.
- The agency completed or updated security plans for all agency and contractor systems.
- The agency completed annual security control testing for 16 agency systems and both contractor systems. Two agency systems are currently undergoing security test and evaluation in support of system reauthorization. The remaining two systems completed annual security control testing late in FY 2011 and are currently undergoing FY 2013 annual security control testing.
- The agency completed annual contingency plan testing for all agency contractor systems, and updated the contingency plans for 18 agency systems and both contractor systems.
- The agency issued several updated Computer Security Office documents, processes, and standards, including the NRC Information Security Program Plan, Continuity of Operations Plan, and several incident response documents.

While the agency has continued to make improvements in its IT security program and has made progress in implementing the recommendations resulting from previous FISMA evaluations, the independent evaluation identified the following information system security program weaknesses:

- The NRC system inventory is not up-to-date.
- Information system component inventories at NRC remote locations are not up-to-date.
- The NRC plan of action and milestones (POA&M) process is not consistently followed.
- The NRC POA&M tool does not consistently implement key OMB and NRC POA&M requirements.
- Contingency planning for the NRC IT environment needs improvement.

3.1     FISMA Systems Inventory

FISMA and the National Institute of Standards and Technology (NIST) define the requirements for an agency to develop and maintain an inventory of its information systems. To address findings from previous independent evaluations regarding the agency's inventory, the agency developed an automated inventory system, the NRC System Information Control Database (NSICD), to house the inventory of automated information systems. The agency also developed procedures, guides, and user manuals that provide guidance for maintaining system inventory records within NSICD. However, the evaluation team found that despite these procedures, guides, and user manuals, the agency's system inventory is not up-to-date.

Finding #1: NRC System Inventory Is Not Up-to-Date

In response to recommendations from previous independent evaluations, the agency developed an automated inventory system and developed procedures, guides, and user manuals that provide guidance for maintaining system inventory records within that system. These procedures, guides, and user manuals describe the system inventory process, the basic requirements for entering new system inventory data into NSICD, the methodology for entering data into security records within NSICD, and instructions on working with system inventory and security program information in ClearQuest. The agency also provides inventory instructions with its biannual inventory update data call. However, despite all of these instructions, the NRC system inventory is not up-to-date.

3.1.1   NRC Inventory Requirements

NRC has several procedures, guides, and user manuals that provide guidance for maintaining system inventory records within NSICD. These include:

- OIS-9000D-0002, Revision 0; Entering New System Inventory Data in the NRC System Information Control Database (NSICD), June 4, 2007 – describes the basic requirements for entering new system inventory data into NSICD.
- Administrative Guide for Entering Data Into the NSICD Security Record, Version 1.4, June 22, 2012 – describes the methodology for entering data into security records within NSICD.
- NSICD User Guide – Using Rational ClearQuest, March 2, 2011 – describes the system inventory process and provides instructions on working with system inventory and security program information in ClearQuest.

The agency also provides inventory instructions with its biannual inventory update data call, as described in OIS-9000D-0001, Biannual Automated Information System Inventory Update Procedure, dated March 5, 2007. Twice a year (typically in January and August), the agency sends out a request to update the information contained in NSICD for automated information systems used by each NRC office.

Several organizations are responsible for maintaining system inventory records within NSICD. According to OIS-9000D-0002, the Enterprise Architecture team is responsible for adding any new system to the system inventory records in NSICD, and the Computer Security Team should notify the system inventory maintainer if documentation is submitted for a system that cannot be identified within the system inventory records of NSICD. The Administrative Guide for Entering Data Into the NSICD Security Record states that data to be entered into the security record comes from the security documents submitted to the Computer Security Office (CSO) and from the documents created by the CSO. The NSICD User Guide states that system owners notify the Office of Information Services (OIS) of changes in the system inventory, in coordination with the Office of the Chief Financial Officer, through the biannual data calls as part of the capitalization of hardware and software.

3.1.2   Agency Procedures Are Not Followed

Carson Associates is also conducting information security risk evaluations of NRC remote locations (i.e., those NRC offices located outside of the NRC headquarters complex). During site visits to three of the remote locations, the evaluation team compared the agency's inventory data from NSICD with the systems actually in place in those locations. The evaluation team found that not all systems in place at NRC remote locations are reflected in NSICD.

For example, a laptop system in one of the remote locations, which was authorized to operate on December 1, 2011, is not reflected in NSICD. Authorization of this system to operate should have alerted some organization to enter this system into NSICD, but it is unclear which organization has that responsibility. For example, OIS-9000D-0002 states that new systems are initiated by submitting a screening form for a capital planning investment control review. However, laptop systems typically do not require such a review. In addition, the instructions included with the biannual inventory update data call only ask system owners to update information extracted from NSICD. The instructions do not include a requirement to notify the agency of any new systems that are not reflected in the data call.

Two of the other remote locations also had some laptops used for processing safeguards information that were no longer in use but had yet to be surplused. These locations were unaware that the agency was still tracking them as active systems in the agency's official inventory, because they were not included in the data provided to those locations in the biannual inventory update data call. According to the agency, it performs data calls on IT systems that are part of its portfolio of systems. The agency does not ordinarily perform a data call on independent standalone hardware, even if the hardware is used as a sensitive processor and has an NSICD system inventory number. The agency considers standalone hardware as assets, not systems. Therefore, NRC remote locations were not aware they needed to provide the agency with updated information regarding the status of these laptops or that they were required to follow a specific process for decommissioning these systems.

RECOMMENDATIONS

The Office of the Inspector General recommends that the Executive Director for Operations:

1. Update all procedures, guides, and user manuals that provide guidance for maintaining system inventory records within NSICD to clearly define which organization(s) are responsible for adding new system inventory records in NSICD.
2. Update the instructions included with the biannual inventory update to require system owners to notify the agency of any new systems that are not reflected in the data call.
3. Include all systems in NSICD, including all independent standalone hardware that has an NSICD system inventory number, in future biannual inventory update data calls.

3.2     Configuration Management

NIST defines requirements for developing, documenting, and maintaining an inventory of information system components as part of configuration management for a system. While information system component inventories exist for individual NRC systems, there are no up-to-date consolidated inventories for the components of these systems located in the remote locations, associated rack diagrams are not up-to-date, and the inventories that do exist do not meet NRC requirements.

Finding #2: Information System Component Inventories at NRC Remote Locations Are Not Up-To-Date

In addition to headquarters, NRC has remote locations that conduct inspection, enforcement, investigation, licensing, and emergency response programs for nuclear reactors, fuel facilities, and materials licensees. NRC also has a remote location that provides training to meet the integrated NRC staff needs in the curriculum areas of reactor technology, probabilistic risk assessment, engineering support, radiation protection, fuel cycle, security and safeguards, and regulatory skills. These remote locations house IT system components from multiple NRC systems, including infrastructure and the badging system, as well as NRC-managed systems that support the remote location. One of the remote locations also houses IT system components supporting the NRC Continuity of Operations Plan (COOP) and IT system components that provide disaster recovery support for some NRC systems. Another remote location also houses IT system components that provide disaster recovery support for some NRC systems.

During site visits to three NRC remote locations, the evaluation team found that while information system component inventories exist for individual NRC systems, there are no up-to-date consolidated inventories for the components of these systems located in the remote locations, associated rack diagrams are not up-to-date, and the inventories do not meet NRC requirements.

3.2.1   Requirements for Inventory of System Components

NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations, requires organizations to develop, document, and maintain an inventory of information system components. NIST SP 800-53 also requires organizations to update the inventory of information system components as an integral part of component installations, removals, and information system updates.

CSO-STD-0020, Organization Defined Values for System Security Controls, requires component inventories to include the following elements:

- System Name.
- Asset Name.
- Asset Type (e.g., firewall, server, workstation).
- Manufacturer.
- Manufacturer Model Number / Version.
- Manufacturer Serial Number.
- Asset Tag (if owned/leased by NRC).
- Unique Host Name (if available, the host's fully qualified domain name should be used).
- Location (e.g., site, building, and room where the asset is located).
- Operating System Name.
- Operating System Version.
- Licensing Information.
- License Expiration Date.

3.2.2   Agency Has Not Fully Met Requirements

IT system components located in NRC remote locations are managed by multiple organizations and support multiple NRC systems. Even though these components are not all managed by NRC staff at that location, it is important that NRC remote locations have information on these components so they can easily locate and identify them in the event of a security incident or emergency.

During site visits to three NRC remote locations, the evaluation team compared inventory information and rack diagrams provided by NRC staff at these locations with the actual IT system components located in their server rooms and telecommunications closets. In each of the three remote locations, the evaluation team found that the inventory information provided did not accurately reflect all the IT system components in these locations. The evaluation team also found that the rack diagrams were not up-to-date and were missing IT system components recently added to the location. The team also found that the inventories did not include all data elements specified in CSO-STD-0020.

NIST SP 800-53 requires organizations to update the inventory of information system components as an integral part of component installations, removals, and information system updates. However, NRC has not clearly identified who is responsible for performing these activities in situations where IT system components for multiple NRC systems are located in a single location such as an NRC remote location. For example, should the agency detect unusual network activity originating from a particular network address, it would be important to have a comprehensive and up-to-date inventory of all IT system components' network addresses so the staff at the remote location can quickly identify, locate, and isolate the IT system component involved. However, no one has taken ownership of this responsibility, resulting in the outdated information.

RECOMMENDATIONS

The Office of the Inspector General recommends that the Executive Director for Operations:

4. Assign responsibility for ensuring that each NRC remote location maintains a consolidated inventory of all the IT system components located in that location, that associated rack diagrams are kept up-to-date, and that the inventory meets NRC requirements.
5. Create a consolidated inventory that meets NRC requirements of all the IT system components located in each NRC remote location.
6. Update the rack diagrams for each NRC remote location.

3.3     Plan of Action and Milestones (POA&M)

FISMA, OMB, and NIST define the requirements for a POA&M process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency. In order to meet these requirements, NRC developed CSO-PROS-2016, U.S. NRC POA&M Process, and implemented an automated tool to help manage the agency POA&Ms. CSO-PROS-2016 describes the process for NRC to identify, assess, prioritize, and monitor the progress of corrective actions pertaining to security weaknesses and provides agency direction for the management and tracking of corrective efforts relative to known weaknesses in IT security controls. The automated tool is intended to ensure the agency's POA&M procedures are implemented consistently, completely, and accurately. However, the evaluation team found that NRC's POA&M process is not consistently followed and the agency's POA&M tool does not implement key OMB and NRC POA&M requirements. As a result, NRC's POA&Ms are not effective at monitoring the progress of corrective efforts relative to known weaknesses in IT security controls and therefore do not provide an accurate measure of security program effectiveness.

Finding #3: NRC POA&M Process Is Not Consistently Followed

CSO-PROS-2016 describes the process for NRC to identify, assess, prioritize, and monitor the progress of corrective actions pertaining to security weaknesses and provides agency direction for the management and tracking of corrective efforts relative to known weaknesses in IT security controls. However, the evaluation team found that NRC's POA&M process is not consistently followed. As a result, NRC's POA&Ms are not effective at monitoring the progress of corrective efforts relative to known weaknesses in IT security controls.

3.3.1   POA&M Process Requirements

CSO-PROS-2016 describes specific requirements for NRC POA&Ms, including the following:

- POA&Ms must be updated to add vulnerabilities identified as part of an independent assessment such as security testing and evaluation, continuous monitoring, vulnerability assessment report, security assessment report, security impact assessment, U.S. Government Accountability Office report, or OIG report. These weaknesses must be added to the POA&M as soon as possible, but not to exceed 60 days from the assessor's report.
- POA&Ms should be updated within the automated tool by the system owner with the most current information by the 15th of November, February, May, and August. System owners should keep abreast of weakness mitigation activities to ensure the documented status accurately reflects the environment at that particular point in time.
- Once the scheduled completion date is set, it should not be changed.

Instructions included with the annual IT security risk management activities memorandum, issued October 14, 2011, required system owners to add three risk management activities and respective due dates to their systems' POA&M in the agency information assurance tool and track them to completion. These activities are annual contingency plan testing, annual security control testing, and security-related document updates, including the annual system security plan update.

3.3.2   Agency Has Not Fully Met Requirements

The evaluation team reviewed NRC POA&Ms for all four quarters of FY 2012. As in previous independent evaluations, we found that POA&Ms do not include all known security weaknesses and POA&Ms are not updated in a timely manner. We also found that scheduled completion dates are being changed and risk management activities are not added to POA&Ms as required.

POA&Ms Do Not Include All Known Security Weaknesses

CSO-PROS-2016 requires POA&Ms to be updated to add vulnerabilities identified as part of an independent assessment such as security testing and evaluation, continuous monitoring, vulnerability assessment report, security assessment report, security impact assessment, U.S. Government Accountability Office report, or OIG report. These weaknesses must be added to the POA&M as soon as possible, but not to exceed 60 days from the assessor's report. However, the evaluation team found some IT-related weaknesses were not added to the POA&Ms as required by agency policy:

- Weaknesses identified during the FY 2012 annual security control testing for four systems were not added to their respective POA&Ms.
- Recommendations from the FY 2012 contingency plan testing for five systems were not added to their respective POA&Ms.
- In July 2011, the OIG issued a report on NRC's shared "S" drive. None of the five recommendations from this report have been added to the appropriate POA&M.

POA&Ms Are Not Updated in a Timely Manner

CSO-PROS-2016 requires POA&Ms to be updated within the automated tool by the system owner with the most current information by the 15th of November, February, May, and August. The evaluation team found POA&Ms are not updated in a timely manner.
The following are\nsome examples of updates that are not timely:\n\n       Approximately 24 percent of closed weaknesses were not reported closed in the quarter\n       in which they were actually closed.\n       Several weaknesses closed by the OIG almost a year ago have not been reported as\n       closed on the POA&Ms, including 14 weaknesses from the regional reviews conducted in\n       2009.\n       Approximately 12 percent of all weaknesses are being reported as on track when in fact\n       they are delayed.\n\n\n                                                8\n\x0c                                                                            Independent Evaluation of\n                                                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2012\n\n\n\n\nScheduled Completion Dates Are Being Changed\n\nCSO-PROS-2016 states that once the scheduled completion date is set, it should not be changed.\nHowever, the evaluation team found multiple instances of changed scheduled completion dates.\nIn several instances, the dates were changed during or shortly after the transition from the\nmanual POA&M process to the new automated tool, or when a previously closed weakness was\nreopened. As a result, weaknesses are being reported as on track when in fact they are actually\ndelayed resulting in inaccurate reporting to OMB.\n\nRisk Management Activities Are Not Added to POA&Ms\n\nInstructions included with the annual IT security risk management activities memorandum\nrequired system owners to add annual contingency plan testing, annual security control testing,\nand security-related document updates, including annual system security plan update to their\nsystems\xe2\x80\x99 POA&Ms. The evaluation team found that these activities were not added to POA&Ms\nfor 7 of the agency\xe2\x80\x99s 22 systems.\n\nRECOMMENDATION\n\n   The Office of the Inspector General recommends that the Executive Director for Operations:\n\n   7. 
Provide refresher training to all staff responsible for implementing NRC\xe2\x80\x99s POA&M\n      process.\n\nFinding #4: POA&M Tool Does Not Consistency Implement Key OMB and NRC POA&M\nRequirements\n\nAs a result of recommendations from the FY 2007 FISMA independent evaluation, the agency\nimplemented a tool for automating the POA&M process. The automated tool was put in place to\nensure the agency\xe2\x80\x99s POA&M procedures are implemented consistently, completely, and\naccurately. However, the evaluation team found that the agency\xe2\x80\x99s POA&M tool does not\nimplement key OMB and NRC POA&M requirements. As a result, NRC\xe2\x80\x99s POA&M process is\nnot consistently implemented.\n\nThe following are some key OMB and NRC requirements for POA&M reporting:\n\n       Scheduled completion dates should not be changed.\n       All weaknesses should have a scheduled completion date.\n       All weaknesses should identify the source of the weakness.\n       All closed weaknesses should have an actual completion date.\n       Weakness should be reported as delayed once the scheduled completion date has passed.\n\nThe evaluation team reviewed NRC POA&Ms for all four quarters of FY 2012 and reviewed the\nPOA&Ms in the agency\xe2\x80\x99s automated tool. 
The evaluation team found NRC\xe2\x80\x99s POA&M tool\n\n\n\n                                               9\n\x0c                                                                                Independent Evaluation of\n                                                                 NRC\xe2\x80\x99s Implementation of FISMA for FY 2012\n\n\nallows weaknesses to be created that do not follow OMB and NRC POA&M requirements.\nSpecifically, the tool:\n\n         allows scheduled completion dates to be changed.\n         allows weaknesses to be created without a scheduled completion date.\n         allows weaknesses to be created with no value in the field that identifies the source of the\n         weakness.\n         allows a weakness to be closed without specifying an actual completion date.\n         does not automatically change the status from on track to delayed once the scheduled\n         completion date has passed.\n\nThe tool also allows users to enter actual completion dates in the future and allows users to enter\nan actual completion date when the status is not closed.\n\nRECOMMENDATION\n\n      The Office of the Inspector General recommends that the Executive Director for Operations:\n\n      8. 
Configure the agency\xe2\x80\x99s automated POA&M tool to do the following: (i) prevent\n         scheduled completion dates from being changed, (ii) prevent weaknesses from being\n         created without a scheduled completion date or weakness source, (iii) prevent weaknesses\n         from being closed without specifying an actual date closed, (iv) prevent users from\n         entering actual completion dates in the future, (v) prevent users from entering an actual\n         completion date when the status is not closed, and (vi) automatically change the\n         weakness status from on track to delayed once the scheduled completion date has passed.\n\n3.4      Contingency Planning\n\nFISMA and NIST require agencies to develop plans and procedures to ensure continuity of\noperations for information systems that support agency operations and assets. NRC has\ndeveloped several types of plans that support these requirements, including the NRC COOP and\ninformation system contingency plans (ISCP). The evaluation team found that contingency\nplanning for the NRC IT environment needs improvement. Specifically, the IT environment\ncontingency plan does not address contingency events that do not require relocation to an\nalternate site, and procedures specific to contingency planning for NRC remote locations are not\nup-to-date. In addition, the COOPs for NRC remote locations that are referenced in the IT\nenvironment contingency plan are not current and only address situations where IT environment\ncomponents at headquarters are not available.\n\n3.4.1 Background\n\nThe NRC IT environment is a general support system that is located throughout NRC\xe2\x80\x99s\nheadquarters campus buildings as well as at NRC remote locations. One of the remote locations\nhas been designated as the alternate processing site for the NRC IT environment. 
The NRC IT\nenvironment is composed of several subsystems, including common computing services and\n\n\n                                                  10\n\x0c                                                                               Independent Evaluation of\n                                                                NRC\xe2\x80\x99s Implementation of FISMA for FY 2012\n\n\nnetwork infrastructure services. Common computing services are a client-server computing\nenvironment consisting of those services available to all NRC employees and contractors via the\n\xe2\x80\x9cNRC Network.\xe2\x80\x9d There is one production file server in each NRC remote location as a part of\nthis subsystem. Network infrastructure services are a distributed enterprise network consisting\nof a network infrastructure supporting interconnected subnets. All interconnected subnets\nfacilitate internal and external office communications for NRC. The infrastructure is composed\nof NRC\xe2\x80\x99s headquarters campus local area network, NRC remote locations, and Resident\nInspector sites. The IT environment contingency plan covers all of these components, even those\nlocated at NRC remote locations. The IT environment contingency plan also includes, as\nattachments, contingency plans for NRC-managed components located in NRC remote locations.\n\n3.4.2 Contingency Planning Requirements and Definitions\n\nInformation system contingency planning normally applies to information systems, and provides\nthe steps needed to recover the operation of all or part of designated information systems at an\nexisting or new location in an emergency. 
Information system contingency planning fits into a\nmuch broader security and emergency management effort that includes organizational and\nbusiness process continuity, disaster recovery planning, and incident management.\n\nOrganizational mission continuity applies to the mission/business itself; it concerns the ability to\ncontinue critical functions and processes during and after an emergency event. A COOP focuses\non restoring an organization\xe2\x80\x99s mission essential functions at an alternate site and performing\nthose functions for up to 30 days before returning to normal operations. Minor threats or\ndisruptions that do not require relocation to an alternate site are typically not addressed in a\nCOOP.\n\nDisaster recovery plans apply to major, usually physical, disruptions to service that deny access\nto the primary facility infrastructure for an extended period. A disaster recovery plan is an\ninformation system-focused plan designed to restore operability of the target system, application,\nor computer facility infrastructure at an alternate site after an emergency. It may be supported by\nmultiple information system contingency plans to address recovery of impacted individual\nsystems once the alternate facility has been established. It may also support a business\ncontinuity plan or continuity of operations plan by recovering supporting systems for\nmission/business processes or mission essential functions at an alternate location.\n\nDisaster recovery plans address only information system disruptions that require relocation.\nISCPs differ from disaster recovery plans in that the ISCP procedures are developed for recovery\nof the system regardless of site or location. An ISCP can be activated at the system\xe2\x80\x99s current\nlocation or at an alternate site. 
The ISCP provides key information needed for system recovery,\nincluding roles and responsibilities, inventory information, assessment procedures, detailed\nrecovery procedures, and system testing.\n\nFINDING #5: Contingency Planning for the NRC IT Environment Needs Improvement\n\nThe evaluation team found that contingency planning for the NRC IT environment needs\nimprovement. Specifically, the IT environment contingency plan does not address contingency\nevents that do not require relocation to an alternate site, and procedures specific to contingency\n\n\n                                                 11\n\x0c                                                                                Independent Evaluation of\n                                                                 NRC\xe2\x80\x99s Implementation of FISMA for FY 2012\n\n\nplanning for NRC remote locations are not up-to-date. In addition, the COOPs for NRC remote\nlocations that are referenced in the IT environment contingency plan are not current and address\nonly situations where IT environment components at headquarters are not available.\n\nThe NRC IT environment contingency plan provides steps required to recover the operation of\nIT environment components at the alternate processing site following a service\ndisruption/emergency. The IT environment contingency plan does not describe restoring IT\nenvironment components using alternate equipment or performing some or all of the affected\nbusiness processes using alternate processing (manual) means (typically acceptable for only\nshort-term disruptions). For example, the contingency plan does not address contingency events\nthat last less than 24 hours, such as the failure of a disk drive or power supply, or corruption of a\ndatabase.\n\nThe evaluation team also found that contingency planning procedures specific to NRC remote\nlocations are not up-to-date in the following ways:\n\n   1. 
The list of IT environment servers supporting NRC remote locations found in Appendix\n      H of the IT environment contingency plan is not up-to-date.\n   2. The contingency plans for NRC remote locations that are attached to the IT environment\n      contingency plan are not up-to-date and do not cover all NRC-managed servers in those\n      locations. For example, the contingency plans for three NRC remote locations have not\n      been updated to reflect the new addresses of locations that have moved in the past few\n      years.\n   3. The IT environment contingency plan also does not include any contingency procedures\n      for the IT environment and other IT components supporting one NRC remote location.\n\nCOOPs for NRC remote locations that are referenced in Appendix G of the IT environment\ncontingency plan are out-of-date and refer only to situations where headquarters is unable to\nsupport IT environment components at the remote locations due to the destruction of the\nheadquarters facility. These COOPs enable NRC staff in NRC remote locations to continue to\nuse the enterprise e-mail system, remote access, and the Internet (and Internet E-mail).\nHowever; they do not address situations where the IT environment at an NRC remote location is\nunavailable for any reason. The IT environment contingency plan also does not include any\nCOOP for the IT environment and other IT components supporting one NRC remote location.\n\nRECOMMENDATIONS\n\n   The Office of the Inspector General recommends that the Executive Director for Operations:\n\n   9. Update the IT environment contingency plan to include procedures for responding to\n       short-term disruptions (those that last less than 24 hours), such as restoring components\n       using alternate equipment or performing some or all of the affected business processes\n       using alternate processing (manual) means.\n   10. 
Update the IT environment contingency plan to update contingency planning procedures\n       specific to NRC remote locations that are not up-to-date. Specifically, update the list of\n       IT environment servers supporting NRC remote locations that are referenced in Appendix\n\n\n                                                  12\n\x0c                                                                         Independent Evaluation of\n                                                          NRC\xe2\x80\x99s Implementation of FISMA for FY 2012\n\n\n    H of the IT environment contingency plan and update the contingency plans for NRC\n    remote locations that are attached to the IT environment contingency plan.\n11. Update the IT environment contingency plan to include contingency procedures for the\n    IT environment and other IT components supporting the one NRC remote location for\n    which these procedures are missing.\n12. Update the COOPs for NRC remote locations that are referenced in Appendix G of the IT\n    environment contingency plan to include current IT environment configurations at NRC\n    remote locations and to address situations where the IT environment at those locations is\n    unavailable for any reason.\n13. 
Develop a COOP for the IT environment and other IT components supporting the one\n    NRC remote location that does not have a COOP.\n\n\n\n\n                                           13\n\x0c                                            Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2012\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              14\n\x0c                                                                              Independent Evaluation of\n                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2012\n\n\n4      Consolidated List of Recommendations\n\nThe Office of the Inspector General recommends that the Executive Director for Operations:\n\n    1. Update all procedures, guides, and user manuals that provide guidance for maintaining\n        system inventory records within NSICD to clearly define which organization(s) are\n        responsible for adding new system inventory records in NSICD.\n    2. Update the instructions included with the biannual inventory update to require system\n        owners to notify the agency of any new systems that are not reflected in the data call.\n    3. Include all systems in NSICD, including all independent standalone hardware that has an\n        NSICD system inventory number, in future biannual inventory update data calls.\n    4. Assign responsibility for ensuring each NRC remote location maintains a consolidated\n        inventory of all the IT system components located in that location, associated rack\n        diagrams are kept up-to-date, and the inventory meets NRC requirements.\n    5. Create a consolidated inventory that meets NRC requirements of all the IT system\n        components located in each NRC remote location.\n    6. Update the rack diagrams for each NRC remote location.\n    7. 
Provide refresher training to all staff responsible for implementing NRC\xe2\x80\x99s POA&M\n        process.\n    8. Configure the agency\xe2\x80\x99s automated POA&M tool to do the following: (i) prevent\n        scheduled completion dates from being changed, (ii) prevent weaknesses from being\n        created without a scheduled completion date or weakness source, (iii) prevent weaknesses\n        from being closed without specifying an actual date closed, (iv) prevent users from\n        entering actual completion dates in the future, (v) prevent users from entering an actual\n        completion date when the status is not closed, and (vi) automatically change the\n        weakness status from on track to delayed once the scheduled completion date has passed.\n    9. Update the IT environment contingency plan to include procedures for responding to\n        short-term disruptions (those that last less than 24 hours), such as restoring components\n        using alternate equipment or performing some or all of the affected business processes\n        using alternate processing (manual) means.\n    10. Update the IT environment contingency plan to update contingency planning procedures\n        specific to NRC remote locations that are not up-to-date. Specifically, update the list of\n        IT environment servers supporting NRC remote locations that are referenced in Appendix\n        H of the IT environment contingency plan and update the contingency plans for NRC\n        remote locations that are attached to the IT environment contingency plan.\n    11. Update the IT environment contingency plan to include contingency procedures for the\n        IT environment and other IT components supporting the one NRC remote location for\n        which these procedures are missing.\n    12. 
Update the COOPs for NRC remote locations that are referenced in Appendix G of the IT\n        environment contingency plan to include current IT environment configurations at NRC\n        remote locations and to address situations where the IT environment at those locations is\n        unavailable for any reason.\n    13. Develop a COOP for the IT environment and other IT components supporting the one\n        NRC remote location that does not have a COOP.\n\n\n                                                15\n\x0c                                            Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2012\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              16\n\x0c                                                                            Independent Evaluation of\n                                                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2012\n\n\n5      Agency Comments\n\nAt an exit conference on November 1, 2012, agency officials agreed with the report\xe2\x80\x99s findings\nand recommendations. Subsequent to the exit conference, the agency provided informal\ncomments, which the OIG incorporated as appropriate. The agency opted not to submit formal\ncomments.\n\n\n\n\n                                              17\n\x0c                                            Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2012\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              18\n\x0c                                                                              Independent Evaluation of\n                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2012\n\n\nAppendix.          
OBJECTIVE, SCOPE, AND METHODOLOGY\n\nOBJECTIVE\n\nThe objective of this review was to perform an independent evaluation of NRC\xe2\x80\x99s implementation\nof FISMA for FY 2012.\n\nSCOPE\n\nThe evaluation focused on reviewing the agency\xe2\x80\x99s implementation of FISMA for FY 2012. The\nevaluation included an assessment of compliance with FISMA requirements and related\ninformation security policies, procedures, standards, and guidelines, and a review of information\nsecurity policies, procedures, and practices of a representative subset of the agency\xe2\x80\x99s information\nsystems, including contractor systems and systems provided by other Federal agencies. Three\nagency systems and one contractor system were selected for evaluation.\n\nThe evaluation was conducted at NRC headquarters from May 2012 through September 2012.\nAny information received from the agency subsequent to the completion of fieldwork was\nincorporated when possible. Throughout the evaluation, evaluators were aware of the potential\nfor fraud, waste, or misuse in the program.\n\nMETHODOLOGY\n\nRichard S. Carson & Associates, Inc., conducted an independent evaluation of NRC\xe2\x80\x99s\nimplementation of FISMA for FY 2012. 
In addition to an assessment of compliance with\nFISMA requirements and related information security policies, procedures, standards, and\nguidelines, the evaluation included an assessment of the following topics specified in OMB\xe2\x80\x99s FY\n2012 Inspector General FISMA Reporting Metrics.\n\n        Continuous Monitoring Management.\n        Configuration Management.\n        Identity and Access Management.\n        Incident Response and Reporting.\n        Risk Management.\n        Security Training.\n        Plan of Action and Milestones.\n        Remote Access Management.\n        Contingency Planning.\n        Contractor Systems.\n        Security Capital Planning.\n\n\n\n\n                                                19\n\x0c                                                                              Independent Evaluation of\n                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2012\n\n\nTo conduct the independent evaluation, the team reviewed the following:\n\n       NRC policies, procedures, and guidance specific to NRC\xe2\x80\x99s IT security program and its\n       implementation of FISMA, and to the 11 topics specified in OMB\xe2\x80\x99s reporting metrics.\n       Security assessment and authorization documents for the four systems selected for\n       evaluation during the FY 2012 independent evaluation, including security test and\n       evaluation reports and vulnerability assessment reports prepared in support of security\n       test and evaluation.\n       Security categorizations, security plans, contingency plans, contingency plan test reports,\n       and authorization to operate memoranda for all agency systems.\n       Annual security control testing reports for all agency systems.\n       Annual security control testing report for the agency\xe2\x80\x99s common controls, as controls such\n       as incident response, security training, and security capital planning are 
partially provided\n       at the agency level for all NRC information systems.\n\nWhen reviewing security test and evaluation and annual security control testing reports, the team\nfocused on security controls specific to the 11 topics specified in OMB\xe2\x80\x99s reporting metrics.\n\nAll analyses were performed in accordance with guidance from the following:\n\n       NIST standards and guidelines.\n       Management Directive and Handbook 12.5, NRC Automated Information Security\n       Program.\n       NRC Computer Security Office policies, processes, procedures, standards, and\n       guidelines.\n       NRC OIG audit guidance.\n\nThe evaluation work was conducted by Jane M. Laroussi, CISSP, and Virgil Isola, CISSP, from\nRichard S. Carson & Associates, Inc.\n\n\n\n\n                                                20\n\x0c'